the need

The other day I needed a network controller for an old set of UniFi AC access points, which I am now reusing to set up a strong WLAN in our newly acquired retreat center.

As I live an hour away from our beautiful retreat center, I want to be able to log in to the controller over the internet to support the residents from home if needed.

flashing the raspi

I decided to go with the cheapest solution and buy a Raspberry Pi 4B with 2 GB RAM, which is enough for a headless Ubuntu Focal server running the UniFi GUI.

So I bought the Pi with a nice case including a fan, a power cord and a 64 GB SD card.

Flashing Ubuntu was really simple with Raspberry Pi Imager:

The imager lets you choose the OS, then downloads and copies the files correctly onto the card. All you need to do is put the card into the Pi, power it on and connect it to the wired network.
I chose Ubuntu Focal (20.04) 64-bit.
I looked in my router for the new device named ubuntu, found its DHCP IP and SSH'd into the machine.

first login

ssh -l ubuntu 192.168.xx.xxx

The password for the first login is ubuntu, and you are forced to change it right after logging in. Do this before anything is forwarded to the Pi; the default credentials are public knowledge.

setting up no-ip

I have had a paid No-IP account forever, so I'll go with that, but there are other DynDNS providers around; as long as they have an ARM Linux client you're good to go.

I'll use the good old example.humor.me domain for this article.

Download the No-IP client source: https://www.noip.com/download?page=linux

Install the build-essential meta package:

sudo apt install build-essential

and follow these instructions:
https://www.noip.com/support/knowledgebase/installing-the-linux-dynamic-update-client-on-ubuntu/

In brief:

Become superuser, then build and install the app. Fetch the tarball over HTTPS rather than the plain-HTTP URL given in the knowledge base, since make install runs the result as root. The tarball extracts into a versioned directory, so change into it before running make:

sudo -i
cd /usr/local/src/
wget https://www.noip.com/client/linux/noip-duc-linux.tar.gz
tar xf noip-duc-linux.tar.gz
cd noip-*/
make install

Configure the client:

/usr/local/bin/noip2 -C

You have to enter your credentials and choose the hostnames to update, and that's it. The credentials are stored in /usr/local/etc/no-ip2.conf, so keep that file readable by root only.

To run this as a service I found this handy systemd service file, which works perfectly:

https://gist.github.com/NathanGiesbrecht/da6560f21e55178bcea7fdd9ca2e39b5

# Simple No-ip.com Dynamic DNS Updater
#
# By Nathan Giesbrecht (http://nathangiesbrecht.com)
#
# 1) Install binary as described in no-ip.com's source file (assuming results in /usr/local/bin)
# 2) Run sudo /usr/local/bin/noip2 -C to generate configuration file
# 3) Copy this file noip2.service to /etc/systemd/system/
# 4) Execute `sudo systemctl daemon-reload`
# 5) Execute `sudo systemctl enable noip2`
# 6) Execute `sudo systemctl start noip2`
#
# systemd supports lots of fancy features, look here (and linked docs) for a full list:
#   http://www.freedesktop.org/software/systemd/man/systemd.exec.html

[Unit]
Description=No-ip.com dynamic IP address updater
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target
Alias=noip.service

[Service]
# Start main service
ExecStart=/usr/local/bin/noip2
Restart=always
Type=forking

Depending on your network setup you have to forward ports 80 and 443 on your router to the Pi. Forward only those two: 443 carries the site, and 80 is needed for the HTTP-to-HTTPS redirect and as one of the ACME challenge paths. UniFi's own port 8443 and SSH (22) stay unforwarded; the GUI is reached through Caddy, and SSH only from inside the LAN.

install unifi

To install the controller you can add the official apt repos to your sources.list, but there is this script from a Dutch community member (glennr.nl) and I chose that.
I looked through the script before using it and it seemed trustworthy to run.

https://github.com/SmokingCrop/UniFi/blob/master/install-unifi-pihole-English.sh

https://glennr.nl/s/unifi-network-controller

Grab the script here and choose your desired version of the controller:
https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-Ubuntu-16-04-18-04-/ccbc7530-dd61-40a7-82ec-22b17f027776

I just ran the script with the defaults, except that I skipped the Let's Encrypt part, because I want to use Caddy as a reverse proxy and reach the controller on the standard HTTPS port 443. The UniFi GUI listens on 8443, and I don't want extra ACME software on my Pi if Caddy can do it all.

After the script has run, everything should be up and you should be able to reach your controller at https://ipofyourpi:8443
Your browser will greet you with a certificate warning, because UniFi's default certificate is of course self-signed; if you ignore that for now, the setup page appears.
We leave it as it is and go to our final step: setting up Caddy.

caddy2

I learned to love Caddy 1 as a really simple and fast web server in a K8s environment: as a Go app, everything it needs is already compiled into the binary, no dependencies required, and it is easy to configure because it comes with thoughtful, useful defaults; the config file, called the Caddyfile, is really light and clear.
Caddy 2 made things even easier, and the best part is the automatic TLS feature, which I was eager to try out (in the K8s cluster I maintain, TLS termination is already done by our HAProxy).

So let's download the binary from https://caddyserver.com/download and choose ARM64 as the platform. We don't need any further plugins, so we're good to go.

We also want to run Caddy 2 as a systemd service, so I just followed the steps described here:

https://caddyserver.com/docs/install#linux-service

Move the binary into your $PATH;
I chose /usr/local/bin:

sudo mv caddy /usr/local/bin/

Caddyfile

Configure Caddy with this simple Caddyfile. It obtains a Let's Encrypt certificate for example.humor.me automatically, redirects plain HTTP to HTTPS, and reverse-proxies all traffic to the UniFi port while accepting UniFi's self-signed certificate on that hop. Caddy 2's reverse_proxy passes WebSocket upgrades through on its own, so the GUI's live updates need no separate matcher, and no file_server is needed because everything goes to UniFi. Skipping certificate verification is acceptable here only because the upstream is localhost and the traffic never leaves the Pi.

example.humor.me {
    encode gzip

    log {
        output file /var/lib/caddy/caddy.log
    }

    # UniFi listens on 8443 with a self-signed certificate. The hop is
    # loopback only, so skipping verification does not expose the traffic;
    # never do this for an upstream on another host.
    reverse_proxy https://localhost:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

That's it!
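Once the router forward, Caddy and UniFi are in place, it is worth checking from the outside that the exposure is exactly what the steps above intended: 80 and 443 reachable, 443 presenting a publicly trusted certificate, and UniFi's own 8443, its inform port 8080 and SSH not reachable at all. The script below is an added example, not code from the article or from Caddy or UniFi; it assumes the article's hostname example.humor.me and the port layout described above, and it should be run from a network outside your LAN (a phone hotspot, for instance), because NAT loopback behaviour from inside varies between routers.

```python
"""Post-deployment exposure check for the Caddy + UniFi setup.

Added example (not part of the original article). Assumes the article's
layout: only 80 and 443 forwarded to the Pi, Caddy terminating TLS on 443,
UniFi's 8443/8080 and SSH (22) not forwarded. Run it from outside the LAN.
"""
import socket
import ssl
import sys

# Ports the router forward is supposed to expose, and ports that must stay
# closed from the internet (SSH, UniFi inform port, UniFi GUI).
EXPECTED_OPEN = (80, 443)
EXPECTED_CLOSED = (22, 8080, 8443)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_chain_ok(host, port=443, timeout=5.0):
    """Connect using the system trust store, which enforces hostname and
    chain validation. Returns (ok, detail) so failures can be reported."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, cert.get("notAfter", "")
    except ssl.SSLCertVerificationError as e:
        # Subclass of OSError, so it must be caught before the generic case.
        return False, f"certificate verification failed: {e.reason}"
    except OSError as e:
        return False, f"connection failed: {e}"


def evaluate(reachable, chain_ok):
    """Turn probe results into findings.

    reachable: dict port -> bool (result of tcp_reachable per port)
    chain_ok:  bool result of tls_chain_ok on 443
    Returns a list of problems; an empty list means the exposure matches
    what the article set up.
    """
    problems = []
    for port in EXPECTED_OPEN:
        if not reachable.get(port, False):
            problems.append(
                f"port {port} not reachable: check the router forward to the Pi")
    for port in EXPECTED_CLOSED:
        if reachable.get(port, False):
            problems.append(
                f"port {port} is reachable from the internet: remove that forward")
    if reachable.get(443, False) and not chain_ok:
        problems.append(
            "443 does not present a trusted certificate: "
            "Caddy's ACME issuance may have failed")
    return problems


def main(host):
    reachable = {p: tcp_reachable(host, p)
                 for p in EXPECTED_OPEN + EXPECTED_CLOSED}
    ok, detail = tls_chain_ok(host)
    for port, is_open in sorted(reachable.items()):
        print(f"{host}:{port} {'open' if is_open else 'closed'}")
    print(f"443 certificate: {'valid until ' + detail if ok else detail}")
    problems = evaluate(reachable, ok)
    for problem in problems:
        print("PROBLEM:", problem)
    return 0 if not problems else 1


if __name__ == "__main__":
    # Hostname is an assumption taken from the article; pass your own.
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "example.humor.me"))
```

A closed port shows up as a refused or timed-out connection, so a router that silently drops packets makes each closed-port probe wait for the full timeout; that is expected. A reachable 8443 or 22 means a forward exists that the article never asked for and should be removed.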